Install WSUS 3.0 - Step-By-Step
I've managed to compose a quick installation procedure for those of you who want to utilize the great free utility from microsoft...
Enjoy!
Pre-Requisites
- IIS 6.0 with ASP.net installed (windows Components).
go to control panel à add/remove programs à Windows Components
check application server and click details.
make sure that application server console and ASP.net are check and then check Internet Information Services and click Details.
make sure that BITS, Common files, Internet Information Services Manager, and then click world wide web service and click details:
make sure that Active server pages and world wide web service are check and click OK twice and click next.
Click Finish. - MMC 3.0 (no need if win2003 sp2 exists).
- .net framework 2.0 (exists as part of windows server R2 or available for download from Microsoft at http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5)
- Microsoft Report Viewer Setup (available for download from Microsoft at http://www.microsoft.com/downloads/details.aspx?familyid=8a166cac-758d-45c8-b637-dd7726e61367)
Wsus3.0 Installation
Install Wsus 3.0 from location: http://www.microsoft.com/downloads/details.aspx?FamilyId=E4A868D7-A820-46A0-B4DB-ED6AA4A336D9
Check I Accept and then click next.
Check the Store updates locally and type D:\Wsus (or any other folder. Recommended not to use your system partition for storing WSUS updates) on the path to save the updates. Then click next.
Chose Install Use and Existing server Database on this computer and leave the path on default (same location as WSUS update). Then click next.
Click Next.
Check "Use existing IIS Default Web Site" and click next.
WSUS Configuration Wizard
After the setup ends, the following screen will open up:
Click Next.
Check the I would like to join box and click Next.
Choose synchronize from Microsoft update, and click next.
In case you have a proxy server on you organization specify proxy settings, else leave all settings at default and click next. It is recommended to set the WSUS to work without a proxy server and allow it a direct connection to the internet (open the appropriate ports on the FW).
In the connect to upstream server page, click start connecting. After the server has finished the initial sync, the next button will be available. Click next.
In the choose language window, choose English and Hebrew (or any other language of your choice) and click next.
On the choose products page, check the products you wish to sync (default, windows – all version, office – all versions, Exchange – all versions). Then click next.
On the choose classifications page, choose all classifications and click next.
On the sync schedule page, choose synchronize automatically when first sync is at 12:00:00AM and the sync per day setting is set to 24. Then click next.
On the finished page, check both checkboxes and click finish.
WSUS initial configuration
On the Update service administrator console that opens when the setup ends, click options and on the options tab. On the options window, click automatic approvals.
On the automatic approval window, check the default automatic approval rule (automaticly approves critical and security updates) and click new rule if you wish to add additional auto-approve rules for specific products or classifications.
On the add rule wizard specify any other auto approve rules that you wish by product or classification.
On the choose product window, check only forefront-forefront client security and click ok.
Back on the add rule window under step 3, type rule name (ex. FCS Update rule) and click ok twice.
Defining WSUS Update Policy (GPO)
Open Group Policy Management Console (GPMC). Start -> Run -> write gpmc.msc -> OK.
Right click on the Group policy objects container and click new.
Write the policy name and click OK.
Expand the group policy objects container and then right-click the object you have just created and click edit.
Expand the Computer configuration -> Administrative Templates -> Windows Components -> Windows Update.
Now configure the following options:
- Configure Automatic Updates
- On the specify internet Microsoft update service location, enter the netbios name that your internal clients will need to address when connecting to the wsus server.
Recommended settings
- Client Side targeting Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service.
If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer.
note: in order for this to work, you need to create groups in the WSUS server.
- Reschedule automatic updates scheduled installations Specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously.
If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started.
- No auto-restart Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.
If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer.
- Automatic updates detection frequency Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20 hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours.
If the status is set to Enabled, Windows will check for available updates at the specified interval.
If the status is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours.
- Allow automatic updates immediate installation Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.
If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install.
- Allow non-administrators to receive update notifications pecifies whether, when logged on, non-administrative users will receive update notifications based on the configuration settings for Automatic Updates. If Automatic Updates is configured, by policy or locally, to notify the user either before downloading or only before installation, these notifications will be offered to any non-administrator who logs onto the computer.
If the status is set to Enabled, Automatic Updates will include non-administrators when determining which logged-on user should receive notification.
After finished configuring the GPO, go back to the GPMC console and link the GPO to the OU that contains the computer objects you wish to work with the WSUS server. Do this by right clicking the OU and choosing link an existing GPO.